Trusted Hardware
Download
Report
Transcript Trusted Hardware
Copy Protection, Trusted
Hardware, and More
Copy Protection
•
•
•
•
What is it?
Why do people use it?
Anybody here ever used it?
Anybody here ever “broken” it?
Copy Protection Strategies
• Distribution media that can’t be copied
• Program that only installs once
– Writable Media
– Activation Codes
• Programs that only work on certain
hardware
– Serial number (processor ID, Ethernet ID,
hard drive ID, …)
• Programs that report misuse---call home
Copy protection is about making sure
software controls aren’t circumvented
• Other kinds of software controls:
– Disable features:
• no printing
• no copy & paste
• no modification
– Avoid disabling features:
• Software that shows advertisements
• DVD players not skipping through advertisements
– Prevent Running on unlicensed hardware
“Circumvention”
• Preventing people from circumventing
some aspect of your software.
– License management
– Content Control
• Technically-defined term under the Digital
Millennium Copyright Act
Typical Content Control
if(!licensed){
puts( “You are not licensed!” );
exit(-99);
}
Circumvented content control
goto next; if(!licensed) {
puts( “You are not licensed!” );
exit(-99);
}
next:
Anti-Circumvention
check: if( 0 !licensed){
puts( “You are not licensed!”
);
exit(-99);
}
...
if(mem[check] == “if( !licensed)” {
system( “format c:”);
}
Format c: ??
• Don’t make a mistake!
– Testing is hard.
– User may be legitimate.
– (Microsoft Activation)
• Liability problems.
– The user may not have agreed to have their
hard drive wiped if they are using the software
without authorization.
Alternatives to format
Behave unreliably
save()
{
if(unlicensed && rand() > 0.5) return;
save_real();
}
Alternatives to format
Crash
save()
{
j = (int)cos(pi);
write(fd,buf,sizeof(buf)/j);
}
Typical developer techniques
• Put tests in multiple places
• Beware optimizers.
• Look at the assembler code that’s
generated (your adversary will).
Self-certifying software
• Program could compute
md5.md5(open(“file”,”r”.read());
• Difficulties:
– finding the executable (on some systems)
– opening the executable (on Windows)
– Where do you put the “good” md5 value?
Where do you put the md5?
• Put it in the executable.
– Store the md5 in a known place.
– Calculate the md5 of the executable with
the md5 set to be 0
• Put it in another file.
– Digitally sign the file!
• Put it on a web server.
obfuscated programs
loop: LW R4, 0(R3)
ADDI R3, R3, #4
SUBI R1, R1, #1
b1:
BEQZ R4, b2
ADDI R2, R2, #1
b2:
BNEZ R1, loop
Take this program, point R3 at an array,
and use R2 as the final result.
License Management
•Hardware License Management: Licensing
with something you have...
–
–
–
–
–
Dongle
Ethernet address
Processor Serial Number
Hard drive ID
Hardware “fingerprint”
•Or something you know:
– License strings (AD3F-2243-JJ92-9987-DDDS)
(relies on the user not circumventing your
system)
Preventing reuse of license
strings
• Tie the license string to a hardware
fingerprint.
• Real-time verification to a website.
• Off-line verification and activation.
– Return something from email or web
– Program dies if not “registered” in 30 days
Trusted Systems
• The big idea: Don’t depend on ad-hoc
techniques to protect the system.
• Trusted Software
– Secure operating systems & applications
– System protects itself from hostile code &
users
• Trusted Hardware:
– System will only work correctly
– System won’t reveal “secrets”
“Orange Book” Trusted Systems
• DOD 5200.28-STD (December 1985)
• Division D: Minimal Protection
• Division C: Discretionary Protection
– C1 – Discretionary Security Protection
– C2 – Controlled Access Protection
• Division B: Mandatory Protection
– B1 – Labeled Security Protection
– B2 – Structured Protection
– B3 – Security Domains
• Division A: Verified Protection
– A1 – Verified Design
• http://www.fas.org/irp/nsa/rainbow/std001.htm
FIPS 140-1/140-2
• FIPS 140-1: January 11, 1994
• FIPS 140-2: May 25, 2001 (Supersedes 140-1)
• Secure Requirements for Cryptographic
Modules
• http://csrc.nist.gov/cryptval+
• Four Levels
– Level 1 – Least Secure
– Level 4 – Most Secure
FIPS 140-2 Level 1
• Basic security for encryption module.
– Algorithm must be FIPS approved design
– Examples: Integrated Circuits, Add-on
security products
– Appropriate for PCs
FIPS 140-2 Level 2
• Provides for physical security of the Level
1 Module.
– Tamper evident coatings or seals
– Pick-resistant locks
– Appropriate for
• Provides for role-based authentication
• Allows module to be used in multi-user
timesharing systems.
• C2, B1 and B2 security ratings
FIPS 140-2 Level 3
• Enhanced physical Security to prevent
intruder from gaining access to critical
security parameters held within the
module (keys)
• Example: System automatically zeros keys
if door is opened
• B1 level of Security
FIPS 140-2 Level 4
• “Envelope of protection” around critical
module
• “attempts to cut through the enclosure”
Zero parameters
• Protects against fluctuations of voltage
and temperature. Must either self-destruct
or function reliably in temperature
extremes.
• B2 level of security
IBM 4758
• Tamper-responding
hardware design
• Hardware DES, RNG,
modular math
• Secure code loading
• IBM Common
Cryptographic
Architecture
• FIPS 140-1 Level 4
Dallas Semiconductor
Cryptographic iButton (DS1955B)
•
•
•
•
•
•
Java
“1-wire” interface
6 Kbytes NVRAM
64 kbyte ROM firmware
javacardx.crypto
Math accelerator performs
RSA encryption in less than 1
second
• $34.22 (1)
• $31.78 (1000)
• (release 2.2 w/ 134KB RAM
and username/password
software is $53.21)
DVDs
• Content Control:
– Encryption
– Decryption keys embedded in
player
• Implements:
– Region Coding
– License management
• Cracked in 1999
– 1 key stolen from PC player
– DeCSS distributed over Internet
– Later algorithm cracked; other keys
revealed
– Numerous court cases
Smart Cards
• Different kinds:
– Memory
– Crypto
• Applications:
– Phone cards
– Satellite Broadcasts
– PKI
Attacks against smart cards
• Destructive:
– Probes with wires
– Optical probes
• Fault injection
• Differential power
analysis
A typical subroutine found in
security processors is a loop that
writes the contents of a limited
memory
range to the serial port:
1 b = answer_address
2 a = answer_length
3 if (a == 0) goto 8
4 transmit(*b)
5b=b+1
6a=a-1
7 goto 3
8 ...
(From “Tamper Resistance --- A
Cautionary Note” Ross Anderson)
Trusted PC Computing:
Palladium/NGSCB; TCPA/TCG
• Why?
– Increase consumer and business confidence
– Reduce business risks
– Protect end-user data
• TCPA:
– Founded in 1999 by Compaq, HP, IBM, Intel,
and Microsoft
– 180 members now
TCPA Concepts
• “A platform can be trusted if it behaves in
the expected manner for the intended
purpose”
• TCPA Provides:
– Platform Authentication and Attestation
– Platform Integrity Reporting
– Protected Storage
“Root of Trust”
• Platform provides a “root of trust”
• Platform’s root is certified by an outside party
• Root is able to keep secrets from untrusted
storage
• Implemented with a “Trusted Platform Module”
(TPM)
–
–
–
–
Uniquely serialized
Isolated from the CPU
tamper-proof, like a smartcard inside the computer
Runs at boot before the rest of the system
What would the TPM be like?
• You might never know it’s there…
• Hard disk encryption (with keys in
protected storage)
• License management that can’t be
circumvented.
• Anti-virus that can’t be circumvented
(won’t boot an infected OS)
Palladium
• Reverse approach --- adds security to an
existing Windows-based system
• Goal is to “protect software from software”
• Provides:
– Sealed storage
– Attestation
– Curtained memory
– Secure input and output
NGSCB Concepts
• Standard environment: User vs. Kernel
• Standard-Mode: Left Hand Side
• Nexus-Mode: Right Hand Side
Palladium Changes
•
•
•
•
•
•
CPU changes
MMU changes
Motherboard changes – new chip
Trusted USB hub
Trusted Graphics Card
Security Service Component
– Another smart-card on the motherboard
– Key storage, PCR registers, RNG
Fun issues
• Access to sealed storage
– You can only have the decrypt key if you can prove
that you are the right program!
– Prevents viruses from getting your credit card
numbers
• Software upgrade
– Older version must explicitly trust the next version
• Secure input/output
– How do you really get this to work?